We reported last month that a buffer overflow in many BSD-derived telnet daemons may, under some circumstances, be exploitable by a remote attacker to gain root access. At that time, it was reported that the Linux telnet daemon was vulnerable in netkit versions before 0.14. This appears to be incorrect, and reports indicate that versions of netkit earlier than 0.17 are vulnerable. Distributions that have been reported to be vulnerable include: Debian 2.2 potato; Caldera OpenServer 5; and Red Hat 5.2, 6.2, 7.0, and 7.1.

In addition to the problems with the telnet daemons in these Linux distributions, IBM has announced that AIX 4.3.x and 5.1 are vulnerable to this problem and has released temporary fixes for the vulnerability.

There is a temporary-file race condition attack against the version of AllCommerce distributed with EnGarde Secure Linux. This race condition can be used by a local user to overwrite files on the server with the permissions of the user account running the Web server. The AllCommerce package that was distributed with EnGarde Secure Linux had several debugging options turned on, and created temporary files in the /tmp directory with predictable names.

It is recommended that users of AllCommerce under EnGarde Secure Linux upgrade to the most recent version of the package.

On ZyXEL Prestige 642R and 642R-I ADSL routers, the FTP, telnet, and administrative services are reachable on the WAN interface. It has also been reported that a scan of ZyXEL Prestige routers found that 45% have never had their factory default password changed. Together, these two problems can be used by an attacker to replace the router's firmware, change its configuration, and attack devices on the internal network.

It is recommended that all network devices have their default passwords changed, and that owners of ZyXEL Prestige 642R and 642R-I ADSL routers change their remote node filter so that it does not allow outside connections to its services.

The Window Maker window manager for X has a buffer overflow in the code that handles window titles in the window list menu. Through an application that sets its window title from untrusted data, a remote attacker may be able to execute arbitrary code on the local machine as the user running Window Maker.

It is recommended that users upgrade Window Maker as soon as possible.

The fetchmail IMAP and POP client has two remotely-exploitable vulnerabilities. Both of these vulnerabilities require the attacker to be in control of, or impersonate, the mail server the user is attempting to download mail from.

Users should upgrade fetchmail to version 5.8.17 or newer as soon as possible.

The xlock distributed with Solaris OpenView has a buffer overflow that may be exploitable by a local user to gain root privileges. The overflow is triggered through the environment variables XFILESEARCHPATH and XUSERFILESEARCHPATH.

Users should remove the set-user-ID bit from xlock until a patch from Sun has been installed.

docview is a set of CGI scripts distributed with Caldera OpenLinux that is used to view system documentation via the Web. A failure to check an argument in one of docview's scripts can be exploited to execute arbitrary code with the permissions of the user running the Web server. Versions of OpenLinux that are vulnerable to this problem include OpenLinux Server 3.1 and OpenLinux Workstation 3.1.

Caldera recommends that users upgrade to the latest docview packages as soon as possible.

rcs2log, a utility that converts RCS logs into a ChangeLog file, has a temporary-file race condition that can be exploited by a local user to overwrite files with the permissions of the user executing rcs2log.

Users should watch their vendor for an update or patch for this problem.
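Both the AllCommerce and rcs2log items above are the same class of bug: a temporary file is created under a predictable name in a shared directory such as /tmp, so another local user can pre-create or symlink that name and have the victim program overwrite an arbitrary file. The following is an added example written for this digest (not code from AllCommerce, rcs2log, or any vendor) showing the defensive pattern: let the C library pick an unpredictable name with mkstemp(), force a 0600 mode, and, whenever an exact path must be used, create it with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing file or symlink is refused rather than followed. The file prefix "example.XXXXXX" and the function names are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a private temporary file with an unpredictable name.
 * On success returns the open descriptor (>= 0) and writes the chosen
 * path into path_out; returns -1 on failure.  mkstemp() creates the
 * file with O_CREAT|O_EXCL, so a name planted in advance by another
 * local user cannot be silently reused. */
int make_private_tempfile(char *path_out, size_t path_len) {
    const char *tmpdir = getenv("TMPDIR");
    if (tmpdir == NULL || *tmpdir == '\0')
        tmpdir = "/tmp";
    /* "example" is a hypothetical program name for this demonstration. */
    int n = snprintf(path_out, path_len, "%s/example.XXXXXX", tmpdir);
    if (n < 0 || (size_t)n >= path_len)
        return -1;
    mode_t old_mask = umask(077);   /* guarantee mode 0600 regardless of caller's umask */
    int fd = mkstemp(path_out);     /* replaces the XXXXXX with random characters */
    umask(old_mask);
    return fd;
}

/* Create an exact path for writing, refusing anything already present.
 * O_EXCL makes the call fail with EEXIST if the name exists at all;
 * O_NOFOLLOW additionally refuses a symlink at that name.  Returns the
 * descriptor or -1 with errno set. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check: after a temp file exists, an exclusive create of the same
 * name must fail with EEXIST.  Returns 1 when the protection holds,
 * 0 when the second create unexpectedly succeeded, -1 on setup error. */
int demo_exclusive_refuses_existing(char *path_out, size_t path_len) {
    int fd = make_private_tempfile(path_out, path_len);
    if (fd < 0)
        return -1;
    int fd2 = create_exclusive(path_out);
    int saved_errno = errno;
    close(fd);
    if (fd2 >= 0) {              /* should never happen: the name was taken */
        close(fd2);
        unlink(path_out);
        return 0;
    }
    unlink(path_out);
    return saved_errno == EEXIST ? 1 : 0;   /* returns 1 */
}

int main(void) {
    char path[256];
    int fd = make_private_tempfile(path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s (mode 0600)\n", path);
    close(fd);
    unlink(path);
    printf("exclusive create refused existing name: %s\n",
           demo_exclusive_refuses_existing(path, sizeof path) == 1 ? "yes" : "NO");
    return 0;
}
```

The important design point is that the descriptor returned by mkstemp() is what the program should keep using; re-opening the file later by name reintroduces the race the call was meant to close. Debugging or trace output, as in the AllCommerce case, should go through the same function rather than through a hand-built name such as /tmp/debug.log.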

ColdFusion Server 5 for Linux has a bug that can crash the server and dump ColdFusion's memory into a log directory, where it can be read by any local user. The bug can only be triggered by a user who is permitted to write ColdFusion code and place it on the server where the Web server will execute it.

Users should watch Macromedia for a patch or an update for this problem.